> On Jan 24, 2018, at 17:05, Wayne Thayer via dev-security-policy 
> <dev-security-policy@lists.mozilla.org> wrote:
> 
> We could still choose to set that date in our own policy if the ballot were
> to fail. The reasoning behind that date has been discussed on the
> CA/Browser Forum lists. I would summarize the argument as (1) a number of
> smaller CAs rely solely on 3.2.2.4.1 and (2) those that have commented
> agreed that 6 months was enough time to migrate away from it.

While these CAs might want six months, it’s not clear that a good argument has 
been made for this. Let’s Encrypt stopped validating using the TLS-SNI-01 
method under two hours after learning that there was a *potential* security 
vulnerability in the validation method. Why should we expect any less from 
other CAs? We should err on the side of protecting users, not CAs using 
insecure validation methods that don’t even stand up to a small amount of 
adversarial scrutiny.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy